On Tue, 15 May 2007 09:25:39 -0500, McKown, John wrote:
>> Why does RACF not support rules restricting the set of users
>> who may ENQ on protected data set names?
>
>Wrong question. The proper question could possibly be: "Why doesn't
>ALLOCATION or maybe ENQ issue a RACF query to determine if a user may
>use a particular resource?" Please remember that RACF only answers a
>question of the form: "Can user ??? access resource ??? in mode ???".
>The answer can be "yes", "no", or "not defined". It is up to the program
>which issued the RACROUTE to determine what to do with the answer.
>
Thanks for the clarification; I stand corrected.

>Now, as to a dataset access in JCL, a job can attempt to access a
>dataset in many different modes (ALTER to create or delete, CONTROL for
>some VSAM options such as ICI, UPDATE for update or READ to read it).
>Except in the case of creating or deleting a dataset, the access
>required is not known until the program actually issues the OPEN for it.
>So the initiator, which allocates the dataset, cannot know before then
>what ACCESS to request. Now, you could argue that if the ACCESS is NONE,
>then the initiator could give an immediate JCL error and I would agree.
>But that is up to the initiator code to check and respond to. It is not
>up to RACF. RACF is not a "traffic cop" monitoring everything via some
>sort of "hook". RACF is an information counter and if you don't ask, he
>doesn't go grabbing you and forcing information upon you (so to speak).
>
And now I'll try to clarify my intent. The resource in question here is
not the data set proper, but control of use of its name via ENQ. This
is a real resource, subject to real contention as evidenced by the OP's
problem. It should not be possible for interlopers to preempt it from
legitimate users. Consider:

//STEP1 EXEC PGM=BPXBATCH,PARM='pgm sleep 9999'
//STEP2 EXEC PGM=IEFBR14,COND=(0,LE)
//SYSUT1 DD DISP=MOD,DSN=SYS1.WHATEVER

As far as I know, this job will run without error even if the owner has
ACCESS=NONE to SYS1.WHATEVER. But for nearly three hours other users will
be unable to allocate SYS1.WHATEVER. There ought to be enforcement of a
rule against this. And, in my view, that enforcement ought more properly
to be done not by allocation nor by the initiator, but by GRS, the most
proximate component. And this is different from the current protocol
controlling access to data sets: it's quite appropriate that a user should
be denied EXC access to a PDSE even though he may have UPDATE access to
edit members, for example.
-- gil